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What's new ? 


PRODAFT Threat Intelligence (PT!) Team has obtained valuable insights on the 
inner workings of the Conti ransomware group. The PTI team accessed Conti's 
infrastructure and identified the real IP addresses of the servers in question. This report 
provides unprecedented detail into the way the Conti ransomware gang works, how 
they select their targets, how many targets they've breached, and more. 


Why does it matter? 


Ransomware attacks are increasing in severity and frequency, threatening major 
institutions and placing enormous strain on supply chains that are already stretched 


thin. Conti has shown itself to be a particularly ruthless group, indiscriminately 
targeting hospitals, emergency service providers, and police dispatchers. This report 
contains the latest and most accurate data available on one of the most dangerous 
ransomware groups in existence. 


Conti also earned a reputation for not delivering decryption keys even after 
victims pay. However, simply telling companies not to pay isn’t enough to solve 
the problem. Our mission is to equip executives, legal advisors, insurers and law 
enforcement agents with intelligence and unique insights that helo them understand 
the threat, manage the risk more effectively, and find better practical solutions to 
deal with its consequences. 
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1 Introduction 


Ransomware attacks work by encrypting the victim's business-critical data, rendering it 
inaccessible. After triggering the attack, cybercriminals will offer to sell a decryption key to 
the victim. If the victim doesn't comply, they simply have to accept the catastrophic loss of 
their most valuable data. 


Some ransomware attacks use a two-pronged strategy. Attackers will demand a ransom 
payment for decrypting data, and threaten to publicly publish sensitive data if the ransom 
is not paid by a certain deadline. (“Double Extortion"). 


Ransomware has been in use for decades, but it has surged in popularity among 
cybercriminals in recent years. Multiple factors contribute to this rise, including the 
development of cryptocurrency that enables near-anonymous payments, the widespread 
digitalization of sensitive data, and the release of sophisticated ransomware-as-a-service 
criminal business models. Ransomware losses are likely to exceed $20 billion by the end of 
2021 [4]. 


Ransomware can be separated into two basic groups : 
e Fully Automated Ransomware (FAR), and 
e Semi-Automated Ransomware (SAR) 


In FAR cases, ransomware generally infects the system via phishing emails or malicious 
web pages that contain the malicious payload. The malware contains the code to spread 
throughout the network, identify sensitive filles, encrypt them, and display a ransom note for 
the victim. Threat actors who use FAR mostly focus on lightweight distribution channels that 
are easily automated — they tend to stay away from making direct contact with victims. FAR 
attacks do not typically succeed against enterprise-level organizations with a wide range 
of detection and prevention tools. Victims of FAR attacks tend to be more cautious about 
paying the ransom because the automated system doesn't instill a great degree of trust. In 
many cases, victims will ask to be transferred to a human representative, who will negotiate 
on behalf of the cybercrime organization. 


SAR attacks can be more sophisticated since they rely on manual interaction between 
cybercriminals and their victims. In these cases, attackers may use zero-day exploits, or they 
may rely on known vulnerabilities that haven't yet been patched — even within hours of the 
patch release. Our team has observed SAR attackers buying RDP or VPN credentials directly 
from other hackers on underground markets. Upon successful entry, these attackers use 
common penetration testing tools for lateral movement within the victim's network. They 
then escalate their privileges, start encrypting, and trigger the ransomware attack. 


Modern cybercrime organizations use a hierarchical workflow to monetize operations. 
The "X-as-a-Service” model has become popular among criminals since each step of an 
advanced attack kill chain requires different skills. This report will demonstrate how this 
business model works and provide in-depth insight about the illicit economy it perpetuates. 
These findings will help other researchers understand the working dynamics of other groups 
that operate in the ransomware industry. 
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The group this report focuses on is called "Conti", which appears to be identical with the 
group known as “Wizard Spider". It is a criminal organization behind advanced ransomware 
technologies known as Ryuk and Hermes. We won't focus on sample analysis, as many 
reputable sources already offer this kind of technical information. Instead, this report is the 
first to presents findings regarding behind-the-scenes information on how the ransomware 
group operates. 


Enterprise leaders, cybersecurity executives, and risk advisors can use this report's findings to 
better prepare their organizations against ransomware attacks. Proactive threat intelligence 
is key to identifying the factors that contribute to cybercrime trends and preventing threat 
actors from exploiting enterprise vulnerabilities. 


Please note that this report has two versions. The “Private Release” is provided to law 
enforcement agencies, applicable CERTS / CSIRTS, and members of our U.ST.A. Threat 


Intel Platform (with appropriate annotations and reductions). Likewise, the “Public 
Release” is publicly disseminated for the purpose of advancing global fight against 
high-end threat actors and APTs. 
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2 Executive Summary 


2.1 Overview 


Conti ransomware frequently makes headlines due to the high-profile organizations it 
often targets, as well as the high ransoms its negotiators demand. The PTI Team noticed a 
surge in Conti attacks and started analyzing the group in September 2021. Our team detected 
a vulnerability in the recovery servers that Conti uses, and leveraged that vulnerability to 
discover the real IP addresses of the hidden service hosting the group's recovery website. 
This report presents valuable data about the inner workings of the semi-automatic recovery 
service that Conti relies on to execute ransomware attacks. Threat intelligence data like this 
helps enterprise executives build resilient cybersecurity defenses and protect sensitive data 
from exfiltration. 


2.2 Conti Ransomware 


Conti ransomware (a.k.a. Hermes, Ryuk], Wizard Spider[9]) is a malicious program that 
prevents users from accessing their data unless the victims pay a ransom. Conti automatically 
scans networks for valuable targets, soreads through the network, and encrypts every 
device and account it can find. 


Unlike similar ransomware variants, Conti uses a ransomware-as-a-service (RaaS) business 
model. The ransomware developers sell or lease their ransomware technology to affiliates, 
who then use that technology to carry out attacks. This business model often includes a 
digital management panel. Conti customers — affiliate threat actors — use this management 
panel to create new ransomware samples, manage their victims, and collect data on their 
attacks. Our investigation showed that Conti threat actors also use extortion and victim 
shaming to coerce victims into paying ransoms. 


Analyst Note : Victim shaming is the use of tactical use of social pressure to push 
victim organizations into fulfilling ransom demands. They may threaten to release stolen 
confidential data, or to email business partners and draw attention to the ransomware 
attack. 
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CONTI Recovery service 


Hi There! This is Conti Team. 
As you already know, we have infiltrated your networks, researched them, and found critical 
vulnerabilities which enabled us to access and exfiltrate your inner documentation and encrypt your 
file servers, SQL servers, subdomains, and local networks. 
Due to poor security of your networks, we have downloaded your critical information with a total 
volume of more than 450 GB. This information includes personal data of your customers, 
employees, and vendors, as well as your legal, financial HR, IT, audit, and compliance directories 
(among other files). We obtained personal documents, phone numbers, contact information, 
consolidated financial statements, payroll, and banking statements. 
Fortunately, Conti is here to prevent any further damages! 
First, we can provide you with IT support by offering a decryption tool, as well as a security report 
that will address the initial issues with your network security that resulted in this situation. 
Secondly, we offer you damage prevention services. At this point, all off your files are about to get 
public on our blog and will be available for anyone, including darknet criminals who are eager to 
abuse your information for their own evil purposes like social engineering attacks against your 
customers and vendors, spamming, and other bad actions. 
Your customers, vendors, employees, and investors (lists are available from you inner 
documentation) will also be notified by us about the breach. This way then can know what to do, 
since their private data is getting public. 
It goes with out saying that this privacy violation will lead to long-term legal, regulatory, financial, 
and reputational damages, including lost contracts and class action lawsuits from those whose info 
was exposed. However, as a part of our deal we offer a solution to prevent this from happening! 
We will first give you a file tree to demonstrate which files we downloaded from your network. Then, 
you can chose certain file names from this listing and we will provide you with these files to prove 
that we have them. Then we transfer all the files that we have back to you and delete them from all 
our hustings and servers, making sure that you are the only one who have access to them. This 
way, all the above mentioned risks will be prevented! 
The price for all of our services is $5,000,000 USD. 
As we received this question before, we would like to make a preemptive clarification: 
No THERE IS NO WAY that we will not fulfill our promises after you pay. To put it simply - the 
chances that Hell will freeze are higher then us misleading our customers. We are the most elite 
group in this market, and our reputation is the absolute foundation of our business and we will never 
breach our contract obligations. 

E Please let me know if your have further questions! 


22 days ago 


Figure 1. Conti threat actors using extortion 


2.3 The RaaS Business Model 


Raas owners employ multiple affiliates who are responsible for breaking into victims’ 
networks and encrypting their filles. These affliates are selected mostly from forums, among 
highly-skilled hackers with backgrounds in penetration testing. People may also become 
affiliates if they have an established network for obtaining access to information from other 
cybercriminals. In both cases, RaaS owners require references from recognized cybercriminals 
before hiring affiliates. 


The Raas business model makes cybercriminal reputation essential to success. Most 
affiliates send a commission between 10-30% of each ransom payment they receive to 
the RaaS owners. The amount for the operators can also be automatically deducted from 
the collected ransom in certain cases. RaaS owners also often provide virtual machines, 
exploitation tools, and other technologies to support affiliates’ attacks. Every affiliate has an 
access to a management panel where they can monitor and communicate with victims. An 
affiliate panel usually includes the following tools : 


e A ransomware executable generator 
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e A separate ransomware decryption application 
e Acryptocurrency payment gateway for victims 
e A commission rate calculator 

e Monitoring tools for victims and statistics 

e Secure chat functionality for victim negotiation 


These tools are designed with non-technical users in mind. Cybercriminals no longer need a 
great deal of technical expertise to run successful attack campaigns. Instead, they maximize 
profit using psychological tactics like extortion and victim shaming. Moreover, affiliates are 
expected to constantly attack and breach new targets. Whenever an affiliate becomes 
inactive for a long period of time, RaaS owners remove that affliate's account, which has a 
negative impact on the affliate’s reputation. 


3 Technical Analysis 


Our team obtained insider data on the Conti RaaS group and its platform, including 
information on its management panel and a step-by-step analysis of the Conti attack kill 
chain. This section contains intelligence about the threat responsible and their affiliates. 
It includes new, never-before-seen data on Conti's active management server and the 
group's techniques, tactics and procedures (TTP). 


This is valuable information that enterprises and cybersecurity vendors can use to detect 
and mitigate Conti ransomware attacks. Organizations equipped with sophisticated threat 
intelligence capabilities can prepare for these attacks and proactively prevent devastating 
data breaches and ransomware attacks from occurring. 


Al Conti's History 


The first indications of a unique Conti ransomware group appeared in October 
2019. The group did not establish its own website until early 2020 on the address 
http://fylszpcqfel7joif.onion. Since then, we've observed data belonging to 567 different 
companies have been shared on the Conti extortion site https://continews.click and 
http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3yóncz3ad.onion. This number 
only represents victims whose names are shared on the extortion site or whose data is 
shared and subsequently deleted. In addition, Conti uses another TOR hidden service for 
serving the stolen victim data. As can be seen in the figure 2 data download links points to 
the domain nilbxxtm5mava3k2r5vzkuuu2g4bp5wlupo3nzry3cóq5rm5sti5ktqąd.onion with a 
random path. 
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Behind their work, you'll find us managing and securing their entities so they can e 
mploy more people, expand into new markets, improve their productivity and struct 
ure their businesses more efficiently. 

We are hands on problem solvers with deep expertise who use the latest technolo 
gy to help efficiently grow, control, simplify and transact your business. 


PUBLISHED 100% 
im 11/11/2021 ®11[435.13 MB] 


I ROOT 
Work.rar 435.13 MB 


nilbxxtm5mava3k2r5vzkuuu2g4bp5wlupo3nzry3c6q5rm5stisktqd.onion/ba7a063b/1dJC9xRy/Work.rar 


Figure 2. Conti's victim data download server 


Based on unofficial statistics, it appears that the number of companies affected by the 
Conti ransomware group is much higher than what we can see on just these websites. 
Expanding its scope of influence day by day, the Conti ransomware currently uses the RaaS 
affiliation model, enabling different threat actors to operate independently of one another. 
The Conti team is currently deploying a ransomware variant known as Conti v3.0 to victim 
systems, and development continues. 
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“GLENBROOK AUTOMOTIVE G... 
véi http://glenbrookautomotivegroup.com 


Q (260) 484-1533 
100 W Coliseum Blvd 
Fort Wayne, IN 46805 


© Glenbrook Automotive Group, LLC is 
an automotive company based out of 100 
West Coliseum Boulevard, Fort Wayne, 
Indiana, United States. 


If you are a client who declined the deal and did not find your 
data on cartel's website or did not find valuable files, this does 
not mean that we forgot about you, it only means that data was 
sold and only therefore it did not publish in free access! 


Search 


“CREATIVE EXTRUDED PRODU... 
dëi http://creativeextruded.com 


Q 1414 Commerce Park Drive 
Tipp City, Ohio 45371 USA 


Phone 800-273-1535 or 
937-667-4485 
Fax 937-667-3647 


© Creative Extruded Products is a 
precision custom profile extrusion and 
injection molding company, specializing in 
small to medium sized profiles as well as 
molded components. Since 1979 Creative 


Web mirror Tor mirror 


“JVCKENWOOD” 
dëi  http://www.ivckenwood.com 


Q 3-12, Moriyacho, Kanagawa-ku, 
Yokohama-shi 

Kanagawa 

221-0022 

Japan 


© JVCKenwood focuses on car and 
home electronics, wireless systems for 
the worldwide consumer electronics 
market, professional broadcast, CCTV 
and digital and analogue two-way radio 
equipment and systems. 


has developed an innovative, experienced 
staff capable of developing the extrusion 
and injection molding systems to solve 
your problems. Our experience has 
developed capabilities ranging from the 
extrusion, injection molding, and 
fabrication. 


PUBEISHED NO PUBERISHER) 252) 


20/2 Ki Ki 
10/20/2021 READ MORE >> 10/19/2021 596 


Figure 3. Conti's extortion blog 


READ MORE >> READ MORE >> 


3.1.1 The Ryuk and Conti Connection 


Based on an analysis made on ransomware samples and a comparison of bitcoin wallets 
used for receiving ransom payments, there is an undeniable connection between Conti 
and Ryuk ransomware teams. They may be the same team, or different teams that share 
members and resources with one another. The first examples of Ryuk were published on the 
https://exploit.in/, a well known underground cybercrime forum, under the name Hermes 
ransomware by a russian-speaking threat actor named CryptoTech in February 2017 
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Cryptotech 


Hermes 2.1 Ransomware The 


and w 


GE A 


Figure 4. CryptoTech’s Hermes Share 


Development of Hermes continued until version 2.1, which is released in August 2018. The 
threat actor replaced the name Hermes with "Ryuk” and begin advertising it for $300. Based 
on e-mail address data and similarities between forum submissions, it's overwhelmingly likely 
that the threat actor CryptoTech developed Ryuk. 


The Conti Ransomware can be understood as a continuation of Ryuk. The two ransomware 
tools share similarities in their libraries and the way they spread. They even share near 
perfect copy-pasted fragments of code. Both Conti and Ryuk rely on the same ransomware 
payload distributors : Trickbot, Emotet and BazarLoader. These are the software packages 
that do the work of actually delivering malicious ransomware files onto victim's networks. 


At the beginning of 2021, ClearSkysec [3] analyzed bitcoin ransom transactions of Conti 
ransomware victims and revealed that they included a wallet address previously used by 
the Ryuk ransomware gang. This confirms the connection between Ryuk and Conti, which is 
now accepted as fact by the global threat intelligence community. 
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3.1.2 Affiliate Leaks 


The Conti group is currently working with an Raas affiliate model and continues to recruit 
new members to the team. However, on 05.08.2021 the Conti team suffered a data leak 
which exposed internal documents, guides, training materials, and much more. This situation 
is common inside the cybercriminal industry, especially among organizations that use the 
affiliate business model. A user named m1Geelka shared information about the groups 
leader and his assistant in a thread on the on the xss.is cybercrime forum, claiming that the 
group treated him unfairly in regards to money. 


Sup, 
Yer | ® Noxanyiicra, o6patite BHMMaHWe, 4To nonbsoBaTenb sa6nokMpoBaH 


m1Geelka 


Top paseoa a He paóora. NetTectepos oun HaSupaior, a KOHeYHO... CoOMpaioT pe6AT ANA oTpaSoTKH ceTe Active Directory, Nlokep iosaior - Conti. Casa Bam nx jp-aapec cepsepos KoGanbTa n Tuna matepnanbi oóyuenna. 1500$ aa 
KOHe4HO HaGupaioT noxos H AenAT Mexay co60ii Det. a nallaHOB KOPMAT TEM YTO AaAyT 3HATb Kora KepTBa sannaTHT. AAMHH B YaTe Óbin - Tokyo, ero xa6a - cicada3301@strong.pm . 3HaiTe nvgopaca s nnyo! Kyna HyxHo A ve oTnpasun 
29.04.2020 Aere NosTOMy NYCTb euer MaHHbIe Cepsepa H Bce OcTaNbHoe. A ANA paborAr cépactiBalo Bce MaTepHanbi No OÓyYeHnio =) 


52 All good 
27 ` Va var s Tope - bk7aar42t5nn4hx6se4gbxy/rijvz4z3hqwtekbhySorv7yq2objaSad.onion 
Tor kro Ha6upaer Ha Tuna pabory NeHTectepon eS - https://xss.is/members/228120/ ero xa6a - it_work_support@xmpp.|p 
Bnonenug 
e his is the connect dalog You Tis is the connect dalog 


on TE at seers 
Coupe 222.PNG 7777 PNG. 


Manege like ` 3 Uer GOreer 


Figure 5. Affiliate Leak Post 


Afterwards, miGeelka uploaded a large cache of Conti group-related data, including 
training materials used by the affliates, and shared the link to the group's SendSpace 
file-sharing site in the same post. This data contains a high volume of tactical information 
about Conti, and valuable intelligence about the operations of the threat actors responsible, 
such as images of the CobaltStrike servers that the Conti group actively uses. 
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E Attacks Reporting Help 
+E- HTI -ERAL ETATE a Pm Re 


external internal ~ listener user computer note pr 


Connect 


This is the connect dialog. You should use it to 
connect to a Cobalt Strike (Aggressor) team server. 


162.244,.80.235 
85.93.88,165 
|185.141.63.120 


Host: 82.118.21.1 


Password: [+i 


Connect j Help | 


EventLog X | Listeners x | 


name « payload host port bindto beacons 


|. Edit... |. Remove j Restart j Help. ] 


Hookah@82.118.21.1 Hookah@185.141.63.120 |Hookah@ 162.244. 35, 


Figure 6. Cobaltstrike Servers Leak 


Figure 7. Conti Educational Materials for Affiliates 


This list of topics was included inside the leaked training materials : 


e How to build a Cobalt Strike executable 

e An introduction to avoiding security products using compiler-based obfuscation 
techniques. 

e A tutorial on using rclone to pull victim data to secure cloud storage accounts on MEGA. 

e How to establish a remote connection to the victim's network and gain persistence 
using AnyDesk and Atera. 

e How to connect to hacked networks with RDP using Ngrok secure tunnel. 

e A guide to performing SMB brute-force attacks. 

e A tutorial on operating system and anonymizing internet traffic via Tor network. 

e A how-to on privilege escalation and gaining administrative rights inside a target 
network. 


It's important to note that many of these technologies are readily available software 
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products with legitimate commercial use cases, and that cybercriminals are abusing these 
technologies to attack victims : 
e Cobalt Strike is a commercial, full-featured, remote access tool frequently used in 
cybersecurity event simulations. 
e rclone is a command-line program that helps users manage cloud data storage using 
code. 
e AnyDesk and Atera are commercial remote desktop applications that provide 
platform-independent remote access to personal computers and other devices. 
e ngrok generates an interface where users can introspect all HTTP traffic running over 
specified tunnels in real-time. 
e Tor is an open-source web browser designed for secure, anonymous communication. 


3.2 The Conti Attack Kill Chain 


Conti ransomware is constantly changing its attack pattern on a daily basis. It relies on 
up-to-date security exploits such as PrintNightmare[7] and FortiGate[10], which are known 
exploits with official patches available. However, many users still have not downloaded the 
appropriate patches and remain vulnerable. 

e PrintNightmare (CVE-2021-1675, CVE-2021-34527, and CVE-2021-36958) works by 
escalating the Windows Print Spooler service permissions to executive privileged 
operations. An attacker can use this exploit to install programs; view, change, or delete 
data; or create new accounts with full user rights. 

e FortiGate firewall remote code execution (CVE-2018-13379 and CVE-2018-13374) is a 
buffer underwrite vulnerability that impacts Fortigate VPN servers to gain access to 
enterprise networks. 

Conti knows that many users don't update their security patches very frequently. Its 
affiliates count on users waiting for days or even weeks before downloading and running 
security patches. With a highly automated Raas business model like the one Conti uses, 
it's possible for attackers to compromise unpatched systems mere hours after patches get 
released. 

In the following sections, each step of the overall Conti attack kill chain will be explained, 
including every technique, tactic, and procedure that Conti affiliates use to attack their 
victims. Since Conti is a RaaS platform, every individual attack may use unique vectors and 
exhibit unique behaviour — there is no one-size-fits-all Conti ransomware attack variant. 


3.2.1 Target Selection 


Since the Raas service model gives affliates a great deal of flexibility over how they choose 
to operate, Conti affiliates use a wide range of target selection methods. These include : 

e Email phishing 

e Mass vulnerability scanning 

e High-end malware distribution software 

e Credential stuffing 

e Fake websites, impersonated phone calls, and similar social engineering tactics. 

Of these target selection methods, email phishing is by far the most common. Another 
common method used by Conti affiliates is mass vulnerability scanning, which relies on 
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automated bots checking publicly exposed networks for known vulnerabilities. We have also 
seen Conti affiliates using high-end Malware-as-a-Service technologies such as Trickot, 
Emotet, and BazarLoader for distributing Conti ransomware. 


3.2.2 Deployment and Execution 


In the example our team analyzed for this report, the attack kill chain begins with a phishing 
campaign that installs the BazarLoader backdoor onto target systems. 


Phishing campaigns often take advantage of Microsoft Office and Google Doc links, send via 
email. Attackers use these links to redirect victims to malicious sites where they download the 
BazarLoader|6] payload. At this point, the reconnaissance phase begins. The ransomware 
will try to discover all directories and network shares inside the victim's system and expand 
throughout. 


Sign in to use your favorite productivity apps from any device 


T ETa ğ o 


GET EE A 


You Have Received (2) Pdf online 
Message ID "5467454678948-546" 
Reference: MLK355344343434-S5894 22/02/2021 


This E-mail was sent from Scanner "RNP583879051AFA" 


CLICK HERE TO VIEW DOCUMENT>>> 
e em 
Adobe POF-Microsoft Online 2021 
BE Microsoft | Office Prosxts ~ Resource emplates Suppo My account | Buy now 


Figure 8. Bazarloader phishing page 


Based on forensic investigations on multiple Conti victims, our Team observed that before 
launching Conti ransomware, attackers often try to identify mission-critical systems like 
domain controllers or backup servers. If they can find these systems early on, they can 
trigger the next phase of the attack faster. 


Once discovery and reconnaissance is complete, the data exfiltration phase begins. Conti 
attackers evaluate the data inside the victim's system and decide whether it is important for 
the target company. If the data is important enough, attackers will start exfiltrating data to 
an anonymous account on the cloud-based anonymous file upload service called MEGA. 
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The tool attackers use to do this is called “rclone”. 


Once the first two stages are complete, Conti begins encrypting all fles and backups 
in the target system, including accessible network devices. The Conti ransomware uses 
ChaCha8 encryption with randomly generated keys for each file inside the target system. 
Every generated key is encrypted with a RSA-4096 public key and stored at a specific offset 
of each file. These keys are used to identify the victim, manage negotiation, and eventually 
generate decryption codes upon payment. 


3.2.3 Demand and Negotiation 


At the end of the ransomware execution phase, all important files of the victims are 
encrypted, backups are deleted and a readme.txt file containing the ransom note is 
dropped on the target system desktop. The Conti group uses two different ransom note 
formats. 


The first ransom note directs victims to  https://contirecovery.best/ and 
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrącqą5o0oad.onion/ websites, 
which contain instructions for purchasing decryption keys from Conti affiliate attackers. The 
ransom note also contains instructions about installing the TOR browser in order to access 
the Conti group's hidden web service. 


a readme.txt - Notepad = D x 


File Edit Format View Help 
All of your files are currently encrypted by CONTI strain. 


As you know (if you don't - just “google it"), all of the data that has been encrypted by our software cannot be 
recovered by any means without contacting our team directly. 


If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it 
on the data of the lowest value. 


To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. 
You can contact our team directly for further instructions through our website : 


TOR VERSION / 
(you should download and install TOR browser first https://torproject.org) 


http: //contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5Soad.onion/ 


HTTPS VERSION : 
https: //contirecovery.best 


YOU SHOULD BE AWARE! 


Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on 
out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. 


---BEGIN ID--- 


---END ID--- 


Figure 9. Conti ransom note inside the victim system 


There is a unique victim ID value at the end of this ransom note (readme-txt). It is the string 
enclosed with -BEGIN ID— and END ID— delimiters. Victims are expected to upload their 
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ransom note to the Conti's recovery service website. Once a victim uploads a valid ransom 
note, the website sends them to a chat page for negotiating with the affiliates. This type of 
ransom note format carries data leakage risks for companies. The victim IDs are hard-coded 
in the ransomware itself. This means that whenever malicious files are uploaded to any 
malware service, or the IDs get leaked, the chat becomes accessible to anyone. 


The second ransom note includes one or two Protonmail accounts. Victims are expected 
to send their company information to those Protonmail mailboxes, which are operated by 
Conti affiliates. Victims are recognized by victim-specific Protonmails here, just like the victim 
IDs produced in the first example. 


©) CONTL_README.txt - Notepad 


File Edit Format View Help 
Your system is LOCKED. Write us on the emails: 


neucomsiocia198@@protonmail.com 
niggchiphoter1974@protonmail.com 


DO NOT TRY to decrypt files using other software. 


Figure 10. Conti ransom note with e-mails 


As stated in 3.1, there are many similarities between Ryuk’s ransomware and Conti's. This is 
particularly evident when comparing Conti and Ryuk ransom notes. Both ransoms use a 
similar structure. There are victim-specific e-mail addresses created with Protonmail and a 
BTC wallet in both examples[2]. 
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©) RyukReadMe.txt - Notepad — 


File Edit Format View Help 
Your network has been penetrated. 


All files on each host in the network have been encrypted with a strong algorithm. 


Backups were either encrypted or deleted or backup disks were formatted. 
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. 


We exclusively have decryption software for your situation 
No decryption software is available in the public. 


DO NOT RESET OR SHUTDOWN - files may be damaged. 

DO NOT RENAME OR MOVE the encrypted and readme files. 

DO NOT DELETE readme files. 

This may lead to the impossibility of recovery of the certain files. 


To get info (decrypt your files) contact us at 
WayneEvenson@protonmail.com 

or 

WayneEvenson@tutanota.com 


BTC wallet: 
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk 


Ryuk 


No system is safe 


Figure 11. Ryuk ransom note 


Once the unique ID is uploaded to Conti's recovery system, it directs victims to a login page. 
On the login page, affiliates request the victim's names and e-mail addresses. Once they 
have this information, the web service provides a chat page with a standard greeting 
message (Figure 1). 


y | If you are looking at this page right now, that means that your network was succesfully 
breached by CONTI team. 


All of your files, databases, application files etc were encrypted with military-grade 
tv algorithms. 


If you are looking for a free decryption tool right now - there's none. 


Antivirus labs, researches, security solution providers, law agencies won't help you to 
( i O N | | decrypt the data. 


If you are interested in out assistance upon this matter - you should upload 
e C ove ry README.TXT file to be provided with further instructions upon decryption. 


Browse... | No file selected. 


Web mirror Tor mirror 


service 


Figure 12. Conti main page 
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At this stage, affiliates send the total captured file size and enumerated system information 
to the user. This proves that the data has indeed been compromised. 


CONTI Recovery service 


Hello, are you ready to negotiate? 
6 days ago 


As you already know - your network and all of your data were encrypted by CONTI team. Besides 
the encryption process we've downloaded a large pack of your internal documents and files that 
will be published in case our negotiations fail. How it happens can be seen on our website 
The recovery price is $100,000. If you want to make sure we can recover all of your data - you 
can send us the two files of your choice and we will decrypt them free of charge. 
If we reach mutual agreement your will be provided with decryption tool, none of your internal data 
will be published and you will be provided with security tips on how to avoid further breaches. 

® We strongly recommend to review our offer in a timely manner. 

6 days ago 


Hi are you there?? Kindly help us please Q) 


Kindly help us we are ready to pay you 


O 
5 days ago 


Price is very high? can you provide some discount to us? 


ays age 


How much time will it takes to decrypt after sending money to you 


We will give the decrypt app immediately after payment and you can decipher everything for an 
hour 


5 days ago 


In addition, we stole your 50 gigabyte data 
@ Within 24 hours, we will download the list of what downloaded from your network 


5 days ago 


tell us where we have to pay and kindly provide some discount please © 
5 days age 


Do you wait for listing or want to pay fast? 
5 days ago 


@ full-listing legacy.txt [ 4MB ] 


5 days ago 


Figure 13. Victim system information messages 


At this point, if the attacker and victim reach an agreement, the victim sends bitcoin to 
the designated address and the attacker produces a decryption key using the victim's ID. 
However, we have found evidence that some Conti affiliates simply take the money and 
disappear, refusing to provide the decryption key as promised. If the attacker sends the 
decryption key to the victim, the link includes a user manual 14 that shows how to use the 
decryption application. All information retrieved from the victim's systems is uploaded to 
a free file sharing site where it can be deleted, and that system data is shared with the victim. 
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Payment confirmed. Soon we'll send you all the required info and data. 


19 hours ago 


We'll send the data as the transaction will be confirmed in the Blockchain. 
18 hours ago 


Here is your data: 


mega.nz 


E a 
16 hours ago 


The decryptor is being prepared now. 


16 hours ago 


Te eS Sas e: em Som zem me ees a gege Se _decryptor.exe_ 
[108kB ] 
16 hours ago 
Decryptor: 
1) Launch the decryptor under Administrative rights 
2) Wait till the decryptor window is closed 
3) os of the files haven't changed the extension back to the original - repeat 1 
an 


16 hours ago 


Figure 14. Post-agreement messages 


Conti affiliates will also send recommendation messages 15 telling victims how to protect 
against future attacks. 


We have penetrated your network using email compromise. So, first of all - 
provide all your employees with strict instructions regarding security measures. 
Basic recommendations regarding network: 
1. Implement better email filtering policies 
2. Implement better password policies 
Së deet blocking some particular attacks like pass-the-hash and pass-the- 
ticket 
4. Update all of your internal systems to the latest versions 
5. Review network segmentation and take care about buying hardware firewalls 
with filtering policies 
6. Block kerberoasting attacks 
7. Conduct full penetrations tests (both external and internal) 
8. Implement better AV/EDR systems 
9. Review group policies, remove domain and local admin rights for some 
users. 

(Gi 10. Implement better DLP software system 


5 days ago 


Figure 15. Recommendation message 


3.3 Management Panel 


The PTI Team successfully gained access to several parts of Conti's Raa infrastructure. This 
gave us cutting-edge insight into the way Conti manages its affiliates and ransomware 
technology. 
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We gained access to a victim landing page (recovery service) and an 
admin management panel hosted as a TOR hidden service on this address 
http://contirecj4hbzmyzuydyzrvm2c65bImvhoj2cvf25zqj2dwrrqceq5oad.onion/. 


We located the subject management panel as well /adminbdpmé6p47p2ye3k5f.php, which 
is mainly used for managing victims, affiliate accounts, and uploaded files. 


CONTI.Auth 


Login 


Password 


Figure 16. Conti admin panel login page 


Our threat intelligence team was also able to access a hidden service that provided key 
information on the underlying technology stack Conti developers rely on. By analyzing the 
source code of Conti's recovery service and admin management panel, our team discovered 
a hidden service using dockerized MySql database bound to 127.0.0.1:3327. 
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<?php 

error_reporting(E ALL) 

set_error_handler(function ($e 
throw new 


}) 
define("start true) 


' AZ$NzU34ETQUPrJ@' 


require once("cfgayols 3 
new ("my sho ", $dbp) 
setAttribute( IN) 
setAttribute( 


function filterText($ur 
r 


preg 
str 


', trim($url)) 
¢ 1) 
Li 
function generateRandomString($length = 10) 
{ 


return substr(str_shuffle(str_repeat($x = '01 9abcdefghi vw GHIJKLMNOPQRSTUVWXYZ ceil($length / strle 


Figure 17. Conti admin panel source code 


The victim recovery service panel contains a submit button, where victims are supposed to 
upload the readme.txt files created on their devices. We've highlighted the regex pattern 
that detects the victim-specific ID in the figure below,18. 


if (Sc !== false) { 
$_SESSION['captcha'][Sc] = ""; 
if ( (S_FILES["f"]) £& $_FILES["f"]["error"] == © 28 $_FILES[" 
) ($_FILES["f"]["tmp_name"]); 


(S_FILES["f"])) { 
if (S_FILES["f 

$s 

Stext = 

Stext 
Stext 
Stext 
Stext 
Stext 
Stext 
Stext 


F It H (S_FILES["f"]["name"]))); 
(Stext)); 
J (Stext)); 
E (Stext)); 
"n", $s, (Stext)); 
(trim(Stext), 
( (Stext, ©, 64)); 
(Se, (Stext)); 
s("Bad file. S: ".h filesize((int)$_FILES["f"]["size"])." N: ".Stext); 


Hunn 


} else { 
dLogs("Upload file failed. E: ".$ FILES["f"]["error"]); 


} 
} else { 
addLogs("No file to upload"); 


} 
$_SESSION['lError'] = 1; 
die($reload); 


3}---end id-- $code, $matches); 


ot regex match"); 


Figure 18. Recovery service readme.txt parser code 


As the following image shows 19, every uploaded file is stored under the /files/ directory, with 
a unique name and following format ` MD5(current_time+random_string), which prevents file 
name brute force attacks. 


Q PRODAFT 22 / 37 


DISCLAIMER : This document and its contents shall be deemed as proprietary and privileged information of PRODAFT and shall 
be subjected to articles and provisions that have been stipulated in the General Data Protection Regulation and Personal 
Data Protection Law. It shall be noted that PRODAFT provides this information “as is" according to its findings, without providing 
any legally applicable warranty regarding completeness or accuracy of the contents. Therefore, neither this report nor any of 


its contents can be used as admissible proof before legal authorities. 


TLP:WHITE Conti Ransomware Group - In-Depth Analysis 


$data = 
$data["orig_name"] = 
$data["orig_name"] = ($data["orig_name"], 


. $_SESSION[" 


($_FILES["file"]['tmp_name'], "./files/" . $ SESSION["code"] . "/" . $data["name"]); 


= 1, “has_new = 1, updated at = UNIX_TIMESTAMP(), "Lost pong = UNIX_TIMESTAMP() WHERE "190 = ? LIMIT 1;"); 


s_ hide’, “orig_name’, "chat 190, “is A a e cated at, "read at, “ip’, "wë, “file’) VALUES ( 6, ?, ?, 1 

.$data["orig_name"].' [ '.human_f e 
de"], $text, $ip, $ua, $data["name"]]); 

die("true"); 


Figure 19. Uploaded content hiding 


3.4 De-Anonymization 


One of the main objectives of our investigation was revealing the identity of the Conti 
affliates, retailers, developers and servers. Our management panel analysis revealed a 
great deal of information regarding the servers that this group uses. 


One of the most valuable pieces of threat intelligence we discovered is the the real IP 
address of Conti's TOR hidden service and contirecovery.ws, and 217.12.204.135, on Tuesday, 
28 September 2021 21:30:03 UTC. 


<?php 
ZE 0 (estarta a 
($_SERVER["SERVER_PROTOCOL"] . " 404 Not Found"); 
die(); 


$dbp = "eVc4rEYBe"; 
$domainTor = "http://contirecj4hbzmyzuydyzrvm2c65b Lmvhoj 2cvf25zqj2dwrrgqcqg5o0ad.onion"; 


SdomainWeb = "https: //contirecovery TC eh 


Figure 20. Domain definitions inside the Conti recovery service source code. 


Additionaly, our team was able to identify the operating system details of the server 
hosting the TOR hidden service for Conti. The host is a Debian server with host name 
“dedic-cuprum-617836". We believe the numeric value at the end of the host name is an 
invoice number for the server, assigned by the hosting company ITLDC. 


Linux version 4.9.0-16-amd64 (Debian 6.3.0-18deb9u1) #1 SMP Debian 4.9.272-2 
(2021-07-19) 


Lei 


Console 1. OS Details of the Conti onion server (uname -a) 
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217.12.204.135 dedic-cuprum-617836.hosted-by-itldc.com dedic-cuprum-617836 


/> 


Console 2. Hostname Details of the Conti onion server (/etc/hosts) 


The captured IP address with the corresponding timestamp have been shared with law 
enforcement authorities for further legal action against the Conti group and its affiliates. 


The next image shows the contents of htpasswd file of the subject host. The password hash 
can be used by other researchers in future Conti investigations. 


user : $apr1$7F5MK3J3$/IX4zqKicgXi3hXxS570WZ/ 
DE 
Console 3. Htpasswd file of the Conti onion server 


Throughout the analysis phase, our team constantly monitored network traffic entering and 
leaving Conti's recovery servers. This information will improve anti-ransomware software 
and lead to more effective filtering and blacklisting of Conti-related traffic. We found the 
following IP addresses communicating with the subject Conti server. 


e 1.177172.158 

© 104.244.76.44 
e 122.51.14986 
e 17691.211 

© 176998.228 

e 18.27197.252 
e 185.130.44.108 
e 185.220.103.4 
e 2.82.175.32 

e 217160.251.63 
e 218.92.0.211 

e 45.153.160.134 
e 46.101.236.25 
e 49234.143.71 
e 51.75.171.136 
e 54.36.108.162 
e 6.11.76.81 

e 61.177172.158 
e 64.113.32.29 
e 66.211.197.38 
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User | Connect With | Connected From Login Date (GMT+3) Login Activity 
root | pts/O 892.163.249.244 Wed Nov 10 14:11 - gone no logout 
root | pts/O 107189.31.241 Wed Nov 10 09:09 - 09:10 (00:01 
root | pts/O 185.220.103.5 Mon Oct 25 15:08 - 15:50 (00:42 
root | pts/O 192.42.116.25 Fri Oct 15 20:25 = 2028 (00:03 
root | pts/O 18.27.197.252 Mon Oct 4 17:47 - 17:47 (00:00 
root | pts/O 45.153.160.134 Mon Sep 27 14:12 - 14:18 (00:05 
root | pts/O 185.220.103.4 Mon Sep 27 09:10 - 09:13 (00:03 
root | pts/O 185.130.44.108 Thu Sep 23 21:08 - 21:26 (00:18) 
root | pts/3 104.244.76.44 Thu Sep 23 08:04 - 08:04 (00:00 
root | pts/2 104.244.76.44 Thu Sep 23 08:01 - 13:02 (05:01) 
root | pts/O 64.113.32.29 Wed Sep 22 13:46 - 15:40 (1+01:54) 
root | pts/O 54.36.108.162 Wed Sep 22 12:54 - 13:10 (00:16) 


Table 1. Conti Hidden Server SSH Connections 


By analyzing the IP addresses communicated with Conti servers, we discovered that most of 
the connections originate from TOR exit nodes. Two of the IP addresses 176.9.1.211:9001 and 
217.160.251.63:29001 are constantly connected to the Conti server, which could indicate that 
these are TOR entry nodes used for Conti's hidden recovery service. 


During this phase of the investigation, the PTI team discovered multiple victim chat sessions 
and captured login credentials for MEGA accounts used when extorting victims’ data. Our 
team has revealed the connecting IP addresses, dates, the purchase method, and the 
software used for accessing the file sharing and upload service. 
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tuuuu rerty 


Dpokemail.net 


© 


Pro I 


Member Since 


September 9, 2021 


Pro Plan Expires On 
October 11, 2021 


Figure 21. Mega account 


Analyzing the MEGA account in above image 21 revealed that the threat actor created 
the account using the TOR browser and made the purchase using Bitcoin. This transaction 
occurred while the ransomware attack against the victim was happening. Afterwards, this 
account was used with a variety of different operating systems before Conti attackers 
uploaded company data to this account using the rclone 3.2.2 tool. 


Table 2 contains the login application, IP address, and access date for the MEGA account 
discovered by the PTI team. 
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MEGAsync-on-Linux 80.147.24.162 10/7/2021,06:03 


Opera-on-Windows 107189.5.68 10/6/2021,20:54 


MEGAsync-on-Windows 45.128.153.242 10/6/2021,18:38 


Chrome-on-Windows 94.242.253.13 9/23/2021,07:02 


MEGAsync-on-Windows 142.4.212.27 9/14/2021,15:45 


rclone/v1.53.3 176.98.160.187 9/9/2021,14:35 


Table 2. Conti Full List of Mega Account Information 


Our analysis of victim chat logs revealed that several other Bitcoin wallet addresses were 
shared with some victims. The PTI Team is still conducting taint analysis on these wallet 
addresses to detect shared spending or laundering attempts. 


Sorry we made mistake in 20 addresses. Will provide new addresses in a minute 
we 


®) 


HDO 


16SJxMsQzvMm3vD3qofv53y6fYDg1NSQr9 
17jKb8NKdjZS6dt7KURfÍBGvDHehByJxLPu 
1Hk6JKhgWotFgtvaRA1HiH1G7aQCS5jXYFi 
INyczMHYHsW5zedGBWjPrO2TqynZUEbZgp 
1DzDQg5Y3cfCHNaDys917ptLsqiAqgDAKN 
19c8r49KtJKuuNsyktPAV886zVaa4GPbUb 
19ho3zh5FSiIUXS5DQitqBMeEnG2KBKQwGfh 
15FL1ibRgr9RBGGe7YSkwpLxdFZYySHfPh 
LAL5vDbV1J6QjGpbi9s6PnCLhmgqXmAgRD 


Figure 22. Conti threat actor giving out additional wallet addresses 
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4 Statistics and Observations 


The following graph (See Figure 23) displays changes in the number of Conti victims over a 
one-year period. The victim data were gathered from the Conti extortion blog (See Figure 3 


[5]. 


— Victim Count 


Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 


Figure 23. Conti Victim Count 


It's clear to see that the number of victims has grown rapidly in the past year. The data 
contained in this report will help law enforcement authorities act against the Conti 
ransomware group and its affliates, which should result in a drastic reduction in the number 
of victims in the near future. This report will inform ongoing investigations that could lead to 
the complete neutralization of Conti itself. 


4.1 Known Recruiter Profiles 


Ransomware groups hire affiliates from deep web and dark net forums, competing to attract 
new affliates into their network. These recruiters generally create topics in well-known 
forums and discussion boards. In order to become an affliate, one must have impressive 
skills, demonstrate motivation, and provide references from reputable cybercrime figures or 
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organizations. 


Threat actors like the Conti team are both secretive and selective when it comes to recruiting. 
They recruit members only from experienced cybercrime organizations with high reputation, 
using private communication channels. The posts and forum topics of Conti recruiters often 
include penetration testing job ads and tooling projects. The following example shows a 
penetration test job announcement written by Conti recruiters. 


Nextectep? Torga K Ham! 4 
[Bob] - search, execution of wor 


AE yT work, June 2 
Reply to this topic 


IT_Work 
megabyte 
eco Viujem n Ha6npaem B KoMaHAy NeHTecTepoB! 


TpeGopanna: 

- Tlonumanne crpyitypbi Active Directory onbiT agmuHncTpuposaHna Windows 
- MonumaHne ocHos MapwipyTusayinn Nat, proxy, socks, http, https, ssh 

- Monumate paĝoTbi cereBstx npoToKanios 

- SHaHie nioGoro M3 A3bIKOB NpOTPAMMNPOBAHNS 

- 3Hanne pentest (rectuposanne Ha GesonacHocTs) onbo mee 


Ycnosna: 

-Mbi npegnaraem Bam CBOeBpemeHHyio sapnnary B pasmepe oT 1500$ (BbinnaTbi no Kypcy Ha Aen, oppen B btc) 
-PaGoTa nonHocTbio YAANEHHAR, 5 Auch 8 Hegenio, CB MBC BbixogHbie. 

-Tpacbnk Gefom c 15-00 an 01-00 

-OnnaunBaembi omnyck 


-Y Hac B yCNOBNAX ECTb NOCTOAHHbIÑ pOCT - Ha KAKAbIÑ Yonex Bbi NoNyYaeTe NOCTOAHHYK NPNGABKY MOC MrHOBEHHBI Gene 


Ecnn Bac sanHTepecoBana sta BAKAHCNA, BbILINMTe CBOE pE3IOME B NM - ECV BAWA KAHAMAATYPA HAC 3aMHTepecyer - Mbi BbILNEM ONNAYHBAeMOE (20T.p.B GTY NO Kypcy) TecToBoe saqaHne. 


Figure 24. Pentester call for application post 


The relevant post was shared by a Russian-speaking threat actor named IT_Work on the 
cybercriminal forum exploit.in. In the comments to the related post, IT_Work mentions that 
only those who can speak Russian can be included to the team. By combining the data 
gathered on the IT_Work profile and the Conti affiliate data leak 3.1.2 already mentions, the 
PTI team has gathered a list of threat actors identified as members of the Conti team : 


e Conti Admin 

Nick : Tokyo 

Jabber ` cicada3301l@strong.om 
e Assistant 

Jabber : it_work_support@xmpp.jp 
e Recruiter 

Nick "IT Work 

Username ` megabyte 


This information will prove vital in helping enterprise cybersecurity teams and their vendors 
identify and mitigate security threats that originate from within the Conti cybercrime network. 
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5 Money Flow 


This section of the report is written by Elliptic Ltd. [8]. Elliptic is the leading provider of 
crypto compliance and blockchain analysis solutions globally. 


5.1 Analysis of Conti ransom payments 


T13 bitcoin addresses were identified by Prodaft during this investigation. 100 of these 
addresses related to a single ransomware attack in which the victim requested to pay Conti 
in 100 separate transactions in order to hide the payment from tax and audit authorities. As 
a result, the addresses identified during this research are believed to be connected to 14 
separate ransomware incidents. 50% of these attacks resulted in a payment to Conti. 


Elliptic analysed the seven addresses to which ransom payments have been made. Conti 
operates as a Ransomware as a Service model. RaaS transactions characteristically split as 
the proceeds of each transaction is distributed between the ransomware operators and 
affiliates, with the exact percentage split differing between Raas groups. In most instances, 
the affiliates are awarded the majority of the ransom payment, with the ransomware 
operators taking a smaller percentage. However, on 22 September 2021, the US Cybersecurity 
& Infrastructure Security Agency (CISA) issued an alert in which they described Conti's affiliate 
model as wage-based, as opposed to operating a traditional RaaS payment model. 


5.1.1 Identification of consolidation cluster 


Of the seven active addresses, four were found to send a percentage of their incoming 
funds, either directly or indirectly, to the same address cluster (hereafter referred to as "Conti 
consolidation cluster"). For three of these addresses, almost exactly 22.5% of the original 
incoming funds were sent to this cluster. As a result, it appears that this consolidation cluster 
may represent the operator portion of these ransomware payments. 
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Figure 25. Elliptic Forensics 


A further 31 incoming flows to this cluster were identified which appear to be ransomware 
payments. The majority of these send between 22-23% of their incoming funds either directly 
or indirectly to the Conti consolidation cluster. This common splitting pattern indicates that 
Conti affiliates may be awarded a percentage of the ransoms they successfully obtain, 
potentially contradicting CISA’s assessment of Conti operating a wage-based affiliate 
payment model. Of interest, several further payments were identified in which the incoming 
funds originate from a split of a previous ransom payment, as demonstrated in the graph 
below. It is unclear whether this demonstrates an attempt to obfuscate the flow of funds, or 
a payment to the Conti operator for other services. 
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Figure 26. Elliptic Forensics 


Researching the addresses identifed by Prodaft and the incoming payments to the 
consolidation cluster indicates that since July 2021, Conti has received over 500 bitcoin in 
ransomware payments, valued at over $25.5 million, of which $6.2 million has been sent to 
the Conti consolidation cluster. 


$12,500,000.00 

$10,000,000.00 
2 
c 
£ 

E $7,500,000.00 
a 
E 
O 
£ 
D 

D $5,000,000.00 
= 
Q 
Oo 
£ 

$2,500,000.00 

$0.00 

July 2021 August 2021 September 2021 October 2021 November 2021 
Month 


Figure 27. Monthly ransom payments 


Q PRODAFT USTA. a2/ 37 


DISCLAIMER : This document and its contents shall be deemed as proprietary and privileged information of PRODAFT and shall 
be subjected to articles and provisions that have been stipulated in the General Data Protection Regulation and Personal 
Data Protection Law. It shall be noted that PRODAFT provides this information “as is" according to its findings, without providing 
any legally applicable warranty regarding completeness or accuracy of the contents. Therefore, neither this report nor any of 


its contents can be used as admissible proof before legal authorities. 


TLP:WHITE Conti Ransomware Group - In-Depth Analysis 


5.1.2 Destination of funds ` Conti operator 


The consolidation cluster, believed to be controlled by a Conti operator, was first active 
in December 2017 when it received one incoming payment of 1.8 bitcoin, which was later 
split and sent to a variety of prominent exchanges. After this time, the consolidation cluster 
was not active again until mid-2021. In August 2021, 0.07 bitcoin was sent from this cluster 
to a prominent exchange known to be used by ransomware groups. Aside from this, Conti 
have not attempted to cash out or exchange any of the bitcoin they have received into this 
cluster. Blockchain activity indicates that the remaining 123.06 bitcoin is currently held in an 
unhosted wallet. 


5.1.3 Destination of funds : Conti affiliates 


In addition to investigating the flow of funds into the consolidation cluster, Elliptic also 
investigated the ransomware proceeds which are believed to have been sent to Conti 
affiliates. One cluster was identified which has received payments from both Conti and 
DarkSide, which may indicate that an individual has worked as an affliate for both of these 
groups. 


consolidation 
cluster 
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Figure 28. Ransom payments over time 


Conti affiliates appear to conduct a sophisticated money laundering operation, avoiding 
obvious consolidation of funds. Due to the recent nature of some of these payments, some 
affiliate funds have not yet been moved. Despite this, Elliptic has identified affliate funds 
being sent to a variety of services, including exchanges, coin swaps, privacy enhancing 
wallets including Wasabi, and the Russian-language darknet market Hydra. 


5.1.4 Identification opportunities 


This research indicates that identifying individuals associated with Conti through following 
the flow of funds is likely to be challenging, particularly given Conti's sophisticated money 
laundering techniques and use of services such as Wasabi wallet. Furthermore, whilst services 
including exchanges implement KYC policies, it is possible that groups such as Conti deposit 
and withdraw from these services in small amounts, which do not trigger KYC requirements. 
However, transaction screening tools can provide financial institutions and cryptocurrency 
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exchanges with the ability to identify incoming transactions from illicit sources such as 
ransomware payments. Elliptic’s clients, including financial institutions and cryptocurrency 
exchanges can be alerted to any client deposits which originate from addresses connected 
to Conti, by using our transaction and wallet screening solutions `. 


6 Conclusion 


Bold, headline-making cyberattacks like the Colonial Pipeline attack in May 2021 showed 
the world how cybercriminals can deeply impact day-to-day life for millions of people. 
Enterprise executives and their risk advisors need in-depth threat intelligence in order to 
mitigate these threats while minimizing the damage they cause. The work of our PTI team is 
crucial towards understanding the cybercrime landscape and developing solutions that 
improve enterprise resilience against cyber threats and reduce risk exposure in the event of 
an attack. 


In this report, we presented the inner workings of one of the most well-known ransomware 
groups in the world. However, the cybercrime industry moves rapidly. Many ongoing 
technological and cultural changes — like the widespread acceptance of cryptocurrency 
and the ongoing shift towards remote and hybrid work — will significantly impact how 
cyberattacks occur in the near future. 


In order to tackle the complex challenge of disrupting cybercriminal organizations, 
public and private forces need to work collaboratively with one another to better 
understand and mitigate the wider legal and commercial impact of the threat. Our research 
sheds much-needed light on the inner workings of cybercriminal organizations, helping 
cybersecurity professionals, lawyers and insurance companies identify operatives and their 
external connections when investigating security incidents. 


Enterprise leaders and cybersecurity executives who invest in threat intelligence services 
gain valuable insight into the unique risk profile of their organization. This kind of intelligence 
enables them to make comprehensive, data-based decisions about the overall exposure of 
their business e relative to real-world threat actor tactics and techniques. 


If there is no choice but to negotiate, enterprises equipped with sophisticated threat 
intelligence capabilities like ours stand a far better chance of gaining the upper hand 
and preventing catastrophic damage to their brand, their users, and their stakeholders. 


1. httos://wwwelliotic.co/solutions/crypto-transaction-monitoring 
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PRODAFT was founded as a cyber threat intelligence company in 2012. 


Aimed at creating a difference through expertise, the brand has 
significantly evolved thanks to its apposite technologies, all of which are 
developed in-house. 


By looking at cyber threats from a realistic perspective, PRODAFT has 
always positioned itself as a “professionally unconventional” provider in 
its field, thanks to a suite of proprietary solutions. 


PRODAFT continues to serve a range of global brands and critical 
industries via its threat intelligence, penetration testing and security 
research teams. 


To ensure proactive nature of PRODAFT’s solutions, our operational 
cycles are constantly reviewed and adapted to emerging challenges 
within cyber arena. Owing to this constant state of flux, PRODAFT is 
always prepared for the new realities and challenges of cyber security. 


Our clients will never find themselves blindsided by any newly evolving 
cyber trend. Our commitment in this regard is the main reason behind 
>  PRODAFT’s popularity among high-profile organizations. 


Contact: info@prodaft.com 
Address: Y-Parc, rue Galilée 7, 1400 Yverdon-les-Bains, Switzerland 
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